zfs noexec override, sort of.
- From: Patrick Proniewski <patpro@xxxxxxxxxx>
- Date: Wed, 8 Feb 2012 13:28:36 +0100
Hi,
Not sure if it's a real security issue, or if it's a feature.
ZFS allows the admin to create noexec volumes, so that users won't be able to execute binaries sitting on these volume. But as soon as one of these binaries is available on a snapshot, it becomes available for the user to execute:
# zfs create tank/test-exec
# ls
test-exec
# zfs get -r exec tank/test-exec
NAME PROPERTY VALUE SOURCE
tank/test-exec exec off local
# cp /bin/ls /tank/test-exec/
# /tank/test-exec/ls
bash: /tank/test-exec/ls: Permission denied
# zfs snapshot tank/test-exec@noexec
# zfs get -r exec tank/test-exec
NAME PROPERTY VALUE SOURCE
tank/test-exec exec off local
tank/test-exec@noexec exec off inherited from tank/test-exec
# /tank/test-exec/.zfs/snapshot/noexec/ls
test-exec
Once the snapshot is accessed, it's mounted automatically, and gets back an exec=on property:
# zfs get -r exec tank/test-exec
NAME PROPERTY VALUE SOURCE
tank/test-exec exec off local
tank/test-exec@noexec exec on temporary
So it makes it very easy for a user to install and use binaries on a shared server where (for example) every home is a ZFS volume with daily snapshots.
regards,
patpro
- Prev by Date: Code contribution: Further development of a Security Suite for Unix/Linux (Anoubis) (fwd)
- Next by Date: periodic security run output gives false positives after 1 year
- Previous by thread: Code contribution: Further development of a Security Suite for Unix/Linux (Anoubis) (fwd)
- Next by thread: periodic security run output gives false positives after 1 year
- Index(es):
Relevant Pages
|
